CVE-2005-4890
Published: 4 November 2019
There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
Notes
Author | Note |
---|---|
mdeslaur | sudo is also apparently vulnerable to this, so the use_pty option was added. We need to verify versions, and make sure it is actually getting honored (apparently the option wasn't working: http://www.openwall.com/lists/oss-security/2011/06/22/4) |
jdstrand | sudo in 12.04 and higher has the fix for use_pty. A small patch (http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1) can be used to enable it on Ubuntu 11.04 and 11.10. |
mdeslaur | Please note that use_pty is not enabled by default in sudo, it must be specifically enabled. |
seth-arnold | su interactive has the same problem, no fix known on 20130305 |
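
Because the notes above say use_pty has to be switched on explicitly and should be verified as honored, here is an added example (not part of the original advisory or of sudo) that reports whether sudoers text enables it. The function names, the `compiled_default` parameter and the sample text are assumptions made for illustration; included files are not followed and a scope is treated as a single token.

```python
import re

# "Defaults", an optional scope (@host, :user, !cmnd, >runas), then the parameter list.
# Simplification: the scope is taken as a single whitespace-free token.
DEFAULTS_RE = re.compile(r'^Defaults(?P<scope>[@:!>]\S+)?\s+(?P<params>.+)$')
# Split on commas that are not inside a double-quoted value.
PARAM_SPLIT_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def logical_lines(text):
    """Yield sudoers lines with continuations joined and comments dropped."""
    for line in text.replace('\\\n', ' ').splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank, comment, or #include (includes are not followed here)
        yield re.sub(r'\s#.*$', '', line)

def use_pty_state(sudoers_text, compiled_default=False):
    """Return (global_enabled, scoped): the effective unscoped use_pty setting
    and a dict of scope -> bool for Defaults entries limited to a host, user,
    command or runas target. Later entries override earlier ones."""
    global_enabled = compiled_default  # assumption: off unless set, per the note above
    scoped = {}
    for line in logical_lines(sudoers_text):
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for param in PARAM_SPLIT_RE.split(m.group('params')):
            param = param.strip()
            if param.lstrip('!').strip() != 'use_pty':
                continue
            enabled = not param.startswith('!')
            if m.group('scope'):
                scoped[m.group('scope')] = enabled
            else:
                global_enabled = enabled
    return global_enabled, scoped

# Constructed sample input, not taken from any real system.
SAMPLE = '''\
Defaults env_reset, \\
         use_pty
Defaults secure_path="/usr/sbin:/usr/bin,/opt/bin"
Defaults:backup !use_pty
#Defaults !use_pty
%admin ALL=(ALL) ALL
'''

if __name__ == '__main__':
    print(use_pty_state(SAMPLE))
```

A scoped `!use_pty` entry, like the one for `backup` in the sample, reopens the exposure for that scope even when the global setting is on, so both return values need reviewing.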
Priority
Status
Package | Release | Status |
---|---|---|
shadow (Launchpad, Ubuntu, Debian) | artful | Not vulnerable |
shadow | bionic | Not vulnerable |
shadow | cosmic | Not vulnerable |
shadow | disco | Not vulnerable |
shadow | eoan | Not vulnerable |
shadow | focal | Not vulnerable |
shadow | groovy | Not vulnerable |
shadow | hardy | Ignored (end of life) |
shadow | hirsute | Not vulnerable |
shadow | lucid | Ignored (end of life) |
shadow | maverick | Ignored (end of life) |
shadow | natty | Ignored (end of life) |
shadow | oneiric | Ignored (end of life) |
shadow | precise | Ignored (end of life) |
shadow | quantal | Ignored (end of life) |
shadow | raring | Ignored (end of life) |
shadow | saucy | Ignored (end of life) |
shadow | trusty | Not vulnerable (1:4.1.5.1-1ubuntu9) |
shadow | upstream | Released (1:4.1.5-1) |
shadow | utopic | Not vulnerable |
shadow | vivid | Not vulnerable |
shadow | wily | Not vulnerable |
shadow | xenial | Not vulnerable |
shadow | yakkety | Not vulnerable |
shadow | zesty | Not vulnerable |
sudo (Launchpad, Ubuntu, Debian) | artful | Not vulnerable |
sudo | bionic | Not vulnerable |
sudo | cosmic | Not vulnerable |
sudo | disco | Not vulnerable |
sudo | eoan | Not vulnerable |
sudo | focal | Not vulnerable |
sudo | groovy | Not vulnerable |
sudo | hardy | Ignored (end of life) |
sudo | hirsute | Not vulnerable |
sudo | lucid | Ignored (end of life) |
sudo | maverick | Ignored (end of life) |
sudo | natty | Ignored (end of life) |
sudo | oneiric | Ignored (end of life) |
sudo | precise | Not vulnerable (1.8.3p2-1ubuntu2) |
sudo | quantal | Not vulnerable |
sudo | raring | Not vulnerable |
sudo | saucy | Not vulnerable |
sudo | trusty | Not vulnerable |
sudo | upstream | Released (1.8.2) |
sudo | utopic | Not vulnerable |
sudo | vivid | Not vulnerable |
sudo | wily | Not vulnerable |
sudo | xenial | Not vulnerable |
sudo | yakkety | Not vulnerable |
sudo | zesty | Not vulnerable |

Patches (sudo):
- upstream: http://www.sudo.ws/repos/sudo/rev/aea971f1456a
- upstream: http://www.sudo.ws/repos/sudo/rev/e7b167f8a6e5
- upstream: http://www.sudo.ws/repos/sudo/rev/26120a59c20e
- upstream: http://www.sudo.ws/repos/sudo/rev/8d95a163dfc1

Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.8 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- http://www.openwall.com/lists/oss-security/2011/06/02/3
- http://www.openwall.com/lists/oss-security/2012/11/05/8
- http://www.ush.it/2009/01/06/25c3-ccc-congress-2008-tricks-makes-you-smile/
- http://www.redhat.com/archives/fedora-devel-list/2004-July/msg01314.html
- https://www.cve.org/CVERecord?id=CVE-2005-4890
- NVD
- Launchpad
- Debian
Bugs
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=262454
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628843 (shadow)
- https://bugzilla.redhat.com/show_bug.cgi?id=710208
- https://bugzilla.redhat.com/show_bug.cgi?id=173008
- https://bugzilla.redhat.com/show_bug.cgi?id=199066
- https://bugzilla.redhat.com/show_bug.cgi?id=479145
- http://www.sudo.ws/bugs/show_bug.cgi?id=142